In order to prevent and protect the manufacturers and vendors of products which implement this document from possibly misleading understandings or wrong expectations and gross negligence actions regarding safety-related developments and applications, the following items must be observed and explained in each training, seminar, workshop and consultancy.

A device will not be automatically applicable for safety-related applications just by implementing this document.

In contrast, appropriate development processes according to safety standards must be observed for safety-related products (see IEC 61508, IEC 61511, IEC 602041, IEC 62061, and ISO 13849) and/or an assessment from a notified assessment body is required.

The manufacturer of a safety product is responsible for the correct implementation of this document, as well as the correctness and completeness of the product documentation and information.

Additional important information including corrigenda and errata published by the OPC Foundation and/or PI must be considered for implementation and assessment.

The test specification for this document describes the test cases which are necessary to test the behavior of a SafetyAutomationComponent as described in this document. These tests – or a set of (automated or manual) tests that has been shown to test the behavior in an equivalent way - must be successfully run at a test laboratory accredited by the OPC Foundation or PI. For details on the testing and certification processes, please consult the OPC Test Lab Specification (OPC 10010, all parts). For a possible architecture of an automated way to perform the test cases, see 10.3. Note that this verification step does not substitute the other methods of assessment that are mentioned in this document.

As a rule, the international safety standards are accepted (ratified) globally. However, since safety technology in automation is relevant to occupational safety and the concomitant insurance risks in a country, recognition of the rules pointed out here is still a sovereign right. The national “Authorities” (notified bodies) decide on the recognition of assessment reports.

NOTE Examples of such “Authorities” are the IFA (Institut für Arbeitsschutz der Deutschen Gesetzlichen Unfallversicherung / Institute for Occupational Safety and Health of the German Social Accident Insurance) in Germany, HSE (Health and Safety Executive) in UK, FM (Factory Mutual / Property Insurance and Risk Management Organization), UL (Underwriters Laboratories Inc. / Product Safety Testing and Certification Organization), or the INRS (Institut National de Recherche et de Sécurité) in France.

For details, see the test specification for this document.

The OPC Foundation will publish an automated test tool, the OPC UA Safety Compliance Test Tool (UASCTT), which implements the test cases that are described in the OPC UA Safety test specification using the test principles described in this Subclause 10.3. The UASCTT will be approved by a Notified Body. It is recommended to use the UASCTT to perform the test cases as described in 10.1, item 5).

An exemplary test principle for this document is presented. The test is a fully automated verification based on test patterns covering all paths of the state machines in this document, with the exception of T29 of the SafetyConsumer state machine.

NOTE The reason for T29 of the SafetyConsumer state machine not being tested by the UASCTT is that this transition cannot be triggered externally by the UASCTT by sending SPDUs or inducing other error conditions. The function of T29 according to this specification is to be proven by the manufacturer and be documented by a manufacturer declaration. Details are found in the test specification.

Different types of possible correct and incorrect SPDUs, parameters, and interactions with the upper interface of the SafetyProvider / SafetyConsumer are taken into account. These test patterns together with the expected responses/stimulations are stored as an XML document and imported into the test tool software. The test tool executes the complete test patterns while connected to the OPC UA Safety layer under test, compares the nominal with the actual reactions and is recording the results that can be printed out for the test report.

Figure 25 shows the structure of the layer tester for the SafetyProvider and SafetyConsumer.


Figure 25 – Automated SafetyProvider / SafetyConsumer test

The SafetyProvider / SafetyConsumer tester acts like an opposite SafetyProvider / SafetyConsumer Layer to stimulate the tested SafetyProvider / SafetyConsumer so that all possible states and transitions in the respective state machine are being exercised. Thus, it must be configured according to the deployed OPC UA communication system. This can be done with the help of an XML file associated with the tester.

A so-called “upper tester” runs on top of the SafetyProvider or SafetyConsumer within the device under test (DUT). It transfers data from the SafetyProvider or SafetyConsumer via its SAPI and makes them visible to the test tool via an OPC UA interface that is specified in the test specification (“Set Data” in Figure 26 and Figure 27). In a similar way, the upper tester enables the test-tool to set inputs of the SAPI (“Get Data” in Figure 26 and Figure 27).

The upper tester is implemented by the vendor of the DUT using standard program languages such as C/C++, IEC 61131-3 or Structured Text and does not need to be executed in a safety-related way.

Detailed requirements for the upper tester are described in the test specification.


Figure 26 – “Upper Tester” within the SafetyProvider


Figure 27 – “Upper Tester” within the SafetyConsumer

Subclause 10.4 gives an informative overview of all the requirements (safety and non-safety) which are described in this document. A summary requirement description and the corresponding Clause where the requirement is defined are given. Note that to fully understand a requirement and its context, it is necessary to consult its original definition. This Subclause 10.4 serves as a tool for quick navigation and as a checklist for an overview over all requirements.

For the conventions used for numbering requirements, see 3.3.2.

Table 41 – Index of Requirements (informative)

Requirement Number

Requirement Summary



Implement in devices designed according to IEC 61508 with appropriate SIL

4.2 Implementation aspects


Implement in safety devices only

5.2 Safety functional requirements


Implement safety measures (MNR, timeout with receipt, IDs, data integrity check)

5.3 Safety measures


Process and monitor safety measures in the SCL

5.3 Safety measures


Start CRC calculation with value “1”

5.5 Requirements for CRC calculation


Use CRC result “1” instead of “0”

5.5 Requirements for CRC calculation


Ignore all-zero SPDUs

5.5 Requirements for CRC calculation


Singleton SafetyACSet folder SafetyACSet Object


Objects for SafetyProviders and SafetyConsumers SafetyACSet Object


Usage of Call Service for Client/Server SafetyACSet Object


Usage of SafetyPDUs for PubSub SafetyACSet Object


Provide SPDUs for diagnostics in method ReadSafetyDiagnostics SafetyACSet Object


Restrictions on data types Safety ObjectType definitions


Non-abstract data types for out data Safety ObjectType definitions


Definition of concrete data types for ResponseSPDU ResponseSPDUDataType


Usage of NonSafetyDataPlaceHolder ResponseSPDUDataType


Restriction to scalar types

6.2.5 DataTypes and length of SafetyData


List supported data types in user manual

6.2.5 DataTypes and length of SafetyData


Values for Boolean data type

6.2.5 DataTypes and length of SafetyData


Implementation of SafetyProvider SAPI SAPI of SafetyProvider


Implementation of SafetyProvider SPI SPI of SafetyProvider


Parameters of SafetyProvider SPI SPI of SafetyProvider


Implementation of SafetyConsumer SAPI SAPI of SafetyConsumer


Implementation of SafetyConsumer SPI SPI of the SafetyConsumer


Parameters of SafetyConsumer SPI SPI of the SafetyConsumer


Values for qualifier bits

6.3.6 Principle for “Application variables with qualifier”


SafetyConsumer diagnostic message texts

6.4.2 Diagnostics messages of the SafetyConsumer


RequestSPDU flags RequestSPDU: Flags


Contents and structure of SafetyData in ResponseSPDU ResponseSPDU: SafetyData


Usage of ResponseSPDU flags ResponseSPDU: Flags


Zero out reserved flags ResponseSPDU: Flags


Copy SafetyConsumerID into ResponseSPDU ResponseSPDU: SafetyConsumerID


Copy MonitoringNumber into ResponseSPDU ResponseSPDU: MonitoringNumber


Usage of CRC checksum ResponseSPDU: CRC


Usage of NonSafetyData ResponseSPDU: NonSafetyData


Indication of NonSafetyData ResponseSPDU: NonSafetyData


Answer repeated RequestSPDUs in Client/Server communication SafetyProvider/-Consumer Sequence diagram


Document behavior chosen in RQ7.10 in safety manual SafetyProvider/-Consumer Sequence diagram


Monitor ConsumerCycleTime in safety-related way SafetyProvider/-Consumer Sequence diagram


Implement SafetyProvider behavior SafetyProvider state diagram


Implement SafetyConsumer behavior SafetyConsumer state diagram


Rules for building the ResponseSPDU Build ResponseSPDU


Rules for calculating SPDU_ID fields Calculation of the SPDU_ID_1, SPDU_ID_2, SPDU_ID_3


Values to indicate SafetyProviderLevel_ID Coding of the SafetyProviderLevel_ID


Avoid accidental use of higher SIL indicator Coding of the SafetyProviderLevel_ID


Calculation of SafetyStructureSignature Signature over the Safety Data Structure (SafetyStructureSignature)


No evaluation of SafetyStructureSignature Signature over the Safety Data Structure (SafetyStructureSignature)


Value of SafetyStructureSignatureVersion Signature over the Safety Data Structure (SafetyStructureSignature)


Generator polynomial for CRC signature Calculation of a CRC checksum


Endianess encoding of SafetyData Calculation of a CRC checksum


CRC calculation sequence Calculation of a CRC checksum


Calculate CRC in SafetyConsumer from ResponseSPDU values Calculation of a CRC checksum


Provision of SafetyProviderDelay

8.2 Safety function response time part of communication


Storage of SafetyBaseID and SafetyProviderID

9.1.1 SafetyBaseID and SafetyProviderID


(Option 1) Use stored MNR after restart

9.2 Initialization of the MNR in the SafetyConsumer


(Option 2) Use random MNR after restart

9.2 Initialization of the MNR in the SafetyConsumer


Provision of and information in safety manual

9.5 Safety manual


Indication of SAPI.OperatorAckRequested

9.6 Indicators and displays


Properties of LED indication of SAPI.OperatorAckRequested

9.6 Indicators and displays



12.2 Handling of OPC UA Namespaces